Jump to content
Welcome to our new Citrix community!

Netscaler Broken Certificate Chain

Jobeth Catimbang

Recommended Posts

Hi guys,


I hope you can enlighten me.

Public >>>> (SSL)>>>>>>Netscaler>>>>>>(SSL)>>>>Backend Server

Questions for clarification
1. Is it okay to install certificate on netscaler only? if not will it lead to broken chain?
2. Do i need to install certificate on both netscaler and Backend server?
3. What if i install certificate on backend server only?

Insights are highly appreciated guys.

Link to comment
Share on other sites

NetScaler is certainly capable of SSL at the Virtual Server and HTTP at the server. However, your web server will send back pages, scripts, and redirects that contain http links instead of https links because your web server isn't aware of NetScaler doing https. Most commercial web site products let you indicate that you're doing SSL Offload. Or you can configure your NetScaler to rewrite the web server responses that contain http to https.

Link to comment
Share on other sites

1. Yes, you can install a cert on Netscaler only. Traffic to the client will not appear as broken because the Netscaler will handle all SSL handshake with the client (for this to occur, do not use SSL_BRIDGE which causes SSL handshake from client to be handled by backend server).


2. No, you do not need a specific certificate on the backend server. You can use HTTP, or just use the default certificate/SSL settings on the backend server. In this scenario, traffic between Netscaler and backend server is still encrypted but the Netscaler will not need to verify that the certificate is from a trusted chain. This is fairly common (using SSL for encryption in transit between NS and backend but not needing SSL for verification/trust, as trust is implied in configuring the backend on the NS).


3. If you don't install a certificate on the backend server, you can use HTTP between client and NS (HTTPS between NS and backend) or HTTPS all the way from client to backend (configured on NS as SSL_BRIDGE type, also known as "SSL pass through").

Link to comment
Share on other sites

What is reporting the "broken chain"?


On Netscaler, when you install a server cert, you must also install the relevant intermediat certs, and then "link" them all together. That way, when a vserver sends out the server cert, it will also send out all of the linked certs (ie the intermediate certs) 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...